Discovery Security Concerns

kurtdean
Kilo Contributor

‎10-25-2017 09:03 AM

Hi All,

Some of my business units are concerned that allowing authenticated discovery will create a massive vulnerability in the following scenario:

  • A malicious user gains access to our instance with an administrative or other powerful role
  • A custom probe is created containing dangerous code that can be executed on one or more hosts. It could delete everything on a file system, or steal data, or anything you can imagine doing with malicious code.
  • The discovery is kicked off by this user and the code executes, causing mayhem and world war three.

My answer to this risk includes mitigating controls:

  • Access to our SN instance requires MFA, reducing the likelihood of an outside attack.
  • Administrative roles able to create and execute discovery are limited, and actions are logged.
  • Accounts used for discovery should be limited in what they are able to do. Sudo is required to return many useful results, but accounts can be limited to running specific commands.

I'm sure we can lock it down further by only providing the service account during discovery, and removing it or changing the password each time, but this will add overhead to the process.

My questions:

  • Is the scenario above realistic?
  • Are there other approaches to mitigate this risk not mentioned?
  • Is there a comprehensive guide to creating hardened service accounts for discovery that we can reference?

Thanks!

Kurt

Labels:
0 Helpfuls
  • 3,751 Views
9 REPLIES 9

danjohnson
ServiceNow Employee
ServiceNow Employee

‎11-03-2017 08:33 AM

Have you also had a look through the Instance Hardening Guide?


kurtdean
Kilo Contributor

‎11-17-2017 07:15 AM

Thanks everyone for their input. All of the suggestions are good stuff, but I think in order to satisfy these concerns we need some kind of "offline" discovery.



Are there any solutions that can run standalone without communicating with the instance? We need something that will run and capture assets locally to a database that can be exported and then separately imported to the CMDB.


0 Helpfuls

bernyalvarado
Mega Sage
In response to kurtdean

‎11-17-2017 02:26 PM

Hi Kurt, indeed. There are many option out there. Even using something as basic as nmap is an option



Thanks,


Berny


0 Helpfuls

bernyalvarado
Mega Sage
In response to kurtdean

‎11-17-2017 02:26 PM

I hope that helps


0 Helpfuls

d_hertel
Mega Contributor
In response to kurtdean

‎11-22-2017 08:53 AM

Yes, there are a variety of off-line scanning solutions that could collect HW/SW data (completely separate from Disco of course).   And then the results imported via an integration job.     A company I recently heard about for this type of scenario is https://opmantek.com/       I haven't used it but it maybe worth checking out....



If you do try it, please reply I'd be curious to hear your experience


0 Helpfuls